httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] New to SSL
Date Wed, 19 Mar 2003 12:05:45 GMT
>-----Original Message-----
>From: Scott Taylor [mailto:scott@dctchambers.com]
>Sent: Wednesday, 19 March 2003 12:23
>To: users@httpd.apache.org
>Subject: [users@httpd] New to SSL
>
>Hello,
>
>I added my own signed certificate to this server and I'm wondering if this
>is normal for startup, or did I do something wrong/unnecessary? It's
>running on Mandrake Linux 9.0. This dialogue only shows up in the log, not
>when running the startup script /etc/rc.d/init.d/httpd start.
>
>First time I thought I broke it because it just sat there with "Starting
>HTTPD:". It was only by reading the log that I realized it was waiting for
>input.

You could remove the passphrase (see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31 for instructions).

To be clear about what the passphrase is for: it prevents anyone from
impersonating your site *even if* they steal your certificate (i.e.
private key). It doesn't make SSL "more secure" or anything like that...
If you are pretty sure that no-one can gain access to your SSL
webserver, then you don't need the passphrase.

Don't bother with any scripts which feed the passphrase in when required
- they defeat the whole purpose, since the script has to know the
passphrase, so anyone who can steal the cert can steal the script too.

Sometimes you get people complaining that they need the passphrase
because "I want to protect the cert from other users on the server". My
question would be, "what on earth are you doing letting other users run
around on a public SSL server!"

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>
>Well, that was months ago now. This morning I had a hardware failure and
>the server rebooted and just sits at the spot where httpd starts up because
>it is waiting for user input of the pass phrase. Is there anything I
>should do (should have done) differently? It's a bit of a pain, but if it's
>the secure way to do it I guess I can come in at 2AM to restart it if needs
>be (seldom ever happens).
>
>Cheers.
>
><log snippet>
>Mar 19 02:42:34 mustang httpd: Apache-AdvancedExtranetServer/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog)
>Mar 19 02:42:34 mustang httpd: Some of your private key files are encrypted for security reasons.
>Mar 19 02:42:34 mustang httpd: In order to read them you have to provide us with the pass phrases.
></log snippet>
>
>Scott
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>
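Added example, not part of Scott's or Owen's messages and not mod_ssl's own code: a stdlib-only pre-flight check that reads an httpd.conf, finds each SSLCertificateKeyFile, and reports whether the key is encrypted (so the default builtin pass-phrase dialog would block an unattended restart like the one in the log above), whether an `SSLPassPhraseDialog exec:` helper is configured (the script approach Owen warns against), and whether a key is readable by anyone but its owner. The directive names and PEM markers are real; the config and key files built in `demo()` are constructed placeholders, not key material.

```python
import os
import re
import tempfile
# "^\s*" matches only active directives, not lines commented out with '#'.
KEY_RE = re.compile(r'^\s*SSLCertificateKeyFile\s+"?([^"\s]+)', re.M)
DIALOG_RE = re.compile(r'^\s*SSLPassPhraseDialog\s+(\S+)', re.M)

def key_is_encrypted(pem):
    """PKCS#1 keys mark encryption with a Proc-Type header; PKCS#8 keys
    use a distinct BEGIN line. Either makes mod_ssl prompt at startup."""
    head = pem[:400]
    return "Proc-Type: 4,ENCRYPTED" in head or "BEGIN ENCRYPTED PRIVATE KEY" in head

def check_config(conf_path):
    """Return one finding dict per SSLCertificateKeyFile in the config."""
    with open(conf_path) as f:
        conf = f.read()
    m = DIALOG_RE.search(conf)
    dialog = m.group(1) if m else "builtin"  # mod_ssl's default dialog
    findings = []
    for key_path in KEY_RE.findall(conf):
        if not os.path.isabs(key_path):
            key_path = os.path.join(os.path.dirname(conf_path), key_path)
        with open(key_path) as f:
            encrypted = key_is_encrypted(f.read())
        findings.append({
            "key": os.path.basename(key_path),
            "encrypted": encrypted,
            # encrypted key + interactive dialog: httpd hangs after a reboot
            "blocks_startup": encrypted and dialog == "builtin",
            # an exec: helper has to store the pass phrase, which defeats it
            "passphrase_script": dialog.startswith("exec:"),
            # a key without a pass phrase must not be group/world readable
            "mode_ok": (os.stat(key_path).st_mode & 0o077) == 0,
        })
    return findings

def demo():
    """Constructed sample (placeholder PEM bodies, not real key material)."""
    d = tempfile.mkdtemp()
    enc = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    plain = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    for name, body, mode in (("secure.key", enc, 0o600), ("plain.key", plain, 0o644)):
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
        os.chmod(os.path.join(d, name), mode)
    with open(os.path.join(d, "httpd.conf"), "w") as f:
        f.write("SSLEngine on\nSSLCertificateKeyFile secure.key\nSSLCertificateKeyFile plain.key\n")
    return check_config(os.path.join(d, "httpd.conf"))
```

Run `demo()` to see the two findings: the encrypted key is the one that would leave the init script sitting at "Starting HTTPD:", and the plain key is flagged for its permissions rather than for a prompt.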
